Https / cors & iis

Hello there,

I configured a custom AppSettings.json in order to enable Windows Authentication

  "Authentication" : {
     "Windows": {
       "Enabled": "true"

since then, I can’t authenticate using AppTokens anymore and I have [INF] messages stating that CORS Policies execution fails [INF] CORS policy execution failed. (09b6f179)

This situation is a bit problematic as in this situation, it’s no longer possible to connect to the server using the cmdlets. After using Connect-PSUServer -ComputerName "https://myserver.domain.local all commandlets are returning Get-UAGitStatus: Call failed with status code 401 (Unauthorized): GET https://myserver.domain.local/api/v1/GitStatus

I don’t know how you did handle the CORS within the kestrel, do you have any inputs on this ?

While IIS and appsettings.json are configured to use HTTPS it seems when I querying the headers using the API, I got information as follow:

X-Original-Proto : http
X-Original-For :

I guess the X-Original-For is due to how iis handles the webserver?

If you have any ideas, they are more than welcome :slight_smile: I’ll keep looking around if I find anything.

Cheers !

We currently don’t have the ability to configure CORS but we should add that. As for the the cmdlets, you should still be able to use AppTokens but since you can’t that seems like a bug. We should probably also use the default credentials but that’s currently not possible. I’ll add a -UseDefaultCredentials to the cmdlets.

I guess the  `X-Original-For`  is due to how iis handles the webserver?

Yep. It’s proxying from HTTPS to HTTP on that internal port and sending it to PSU.

hey @adam,

Found this post it seems like it matches the issue I’m facing when Windows Authentication is activated on IIS.

what do you think ?

well, it seems that if you “only” re-enable “Anonymous Authentication” on IIS, bearer token authentication still functioning again…


Hmmm. Yeah that seems like it makes sense. I think enabling anonymous would allow the token to get through the IIS auth layer and then use the authentication within PSU rather than windows auth.

@adam any update to PSUD with custom CORS headers.

Access-Control-Allow-Origin: *

@adam I’m also curious if there’s any update to supporting CORS

In appsettings.json, you can set CORS hosts.


Hosts should be separated by semicolon. Any host added to this list will be allowed any cred, method or header.

1 Like

Hi, is it possible anyhow to use wildcards in Allowed hosts?

Not at the moment. It looks like we need to enable wildcard support in PSU for this to work.